You do not need a six-figure platform to run a credible, defensible cyber risk assessment. The foundation of the practitioner's toolkit is mostly free, published by standards bodies, and available right now. The challenge is knowing which risk assessment tools to reach for, in what order, and for what purpose.
This post is a named shortlist organized by how analysts actually work: start with a methodology, apply scoring signals to prioritize findings, track risks in a register, and feed the whole thing with scanner data. A separate post covers Choosing Risk Assessment Software: A 2026 Buyer's Guide if you are evaluating commercial platforms.
Why the toolkit matters in 2026
The FIRST mid-2026 vulnerability forecast projects roughly 66,000 CVEs for the year, driven partly by AI-assisted discovery and rising CNA activity. That number sounds alarming. But when you filter for real-world risk using the CISA Known Exploited Vulnerabilities catalog and EPSS scores above a meaningful threshold, the patching burden has not risen at the same rate. Volume is not the same as risk. A sound risk assessment process is what separates an organization that remediates what matters from one that remediates at random.
Methodologies as risk assessment tools
Frameworks are tools. They give an assessment a repeatable structure that regulators, auditors, and boards can verify. Pick one as your primary spine and treat the others as supplemental lenses.
NIST SP 800-30 and the Risk Management Framework
NIST SP 800-30 Rev. 1 is the federal guide for conducting information security risk assessments. It defines threat sources, threat events, vulnerabilities, likelihood, impact, and a tiered model that connects system-level findings to enterprise decisions. The companion NIST Risk Management Framework (RMF) wraps the process in a full lifecycle from categorization through continuous monitoring.
Best for: organizations under federal requirements (FedRAMP, FISMA, CMMC) or anyone who wants a thorough, step-by-step template. The document is dense but free, and its appendices include ready-to-use likelihood and impact rating tables.
FAIR and Open FAIR
Factor Analysis of Information Risk (FAIR) is the leading standard for quantifying cyber risk in financial terms. Where NIST gives you red-amber-green likelihood ratings, FAIR gives you loss exceedance curves and expected annual loss in dollars. Open FAIR, maintained by The Open Group, is the published body of knowledge behind the standard.
Best for: teams whose stakeholders speak in dollars, not heat maps. FAIR is especially useful for board-level reporting and for ranking competing remediation investments. It has a learning curve, but free introductory resources from the FAIR Institute make the core model accessible without buying tooling.
CIS RAM
CIS RAM (Risk Assessment Method) is a free methodology developed by HALOCK Security Labs with the Center for Internet Security. It is built to be used alongside the CIS Controls and helps organizations assess risk in a way that demonstrates "reasonable" security to regulators and courts. CIS RAM aligns to NIST SP 800-30 and ISO 27005, so outputs map cleanly across them.
Best for: mid-market organizations already using the CIS Controls who want an assessment method that connects directly to their control framework and meets legal defensibility standards.
OCTAVE
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), from Carnegie Mellon's Software Engineering Institute, emphasizes asset-centric risk identification driven by operational teams rather than outside consultants. The Allegro variant is sized for smaller organizations, and the newer FORTE bridges executive and practitioner views using enterprise risk management principles.
Best for: organizations that want risk assessment driven from inside the business unit. OCTAVE is the oldest method on this list and is no longer actively developed, but its asset-centric approach still works well when non-security staff need to articulate the data and processes they depend on.
ISO 27005:2022
ISO/IEC 27005:2022 is the international standard for information security risk management. The 2022 revision aligns to ISO 27001:2022 and ISO 31000, adopts ISO 31000 terminology, and introduces both event-based and asset-based risk identification. It is the natural choice if your organization is pursuing ISO 27001 certification.
Best for: organizations in regulated industries outside the US federal space, or any team building an ISMS that needs a globally recognized methodology.
Free scoring and exploit feeds
Methodology tells you how to structure the assessment. Scoring feeds tell you where to look first.
| Signal | What it measures | Source |
|---|---|---|
| CVSS v4.0 | Severity of vulnerability characteristics | FIRST.org |
| EPSS | Probability of exploitation in 30 days | FIRST.org/epss |
| CISA KEV | Confirmed active exploitation in the wild | CISA.gov |
CVSS v4.0
CVSS v4.0, published in November 2023, scores vulnerability severity across Base, Threat, Environmental, and Supplemental metric groups. The Base score describes inherent characteristics, the Threat score adjusts for known exploit availability, and the Environmental score adjusts for your deployment context. CVSS on its own is not a prioritization tool, because a high-severity flaw on an isolated system is not the same risk as a medium-severity flaw on an internet-facing authentication endpoint. Feed CVSS into your methodology alongside context.
EPSS
The Exploit Prediction Scoring System (EPSS) assigns each CVE a probability (0 to 1) that it will be exploited in the wild within 30 days. Version 4, released in 2025, added contextual threat-intelligence inputs (see the EPSS model documentation). As of mid-2026, EPSS publishes a daily score for every published CVE, well over 300,000 of them. EPSS is one of the most actionable free signals available, because it answers the question practitioners actually have: of all these vulnerabilities, which are attackers using right now?
CISA KEV catalog
The CISA Known Exploited Vulnerabilities catalog lists CVEs with confirmed active exploitation, maintained under Binding Operational Directive 22-01. The catalog held more than 1,600 entries as of June 2026. Every CVE on the list is something an attacker has already shown the ability to exploit against a real target, so KEV membership should be a near-automatic trigger for remediation priority.
Open-source GRC and risk-register tooling
Once you have a methodology and scoring signals, you need somewhere to track findings as risks over time.
Eramba (community edition)
Eramba is the veteran of open-source GRC, started in 2007 by CISOs frustrated with expensive commercial platforms. The Community Edition is free with no user or data limits. It handles risk management, compliance mapping, incident tracking, and links risks to policies so you can track control effectiveness over time. The tradeoff is a meaningful learning curve and limited automation in the free tier, but the codebase is battle-tested across many compliance cycles.
Best for: organizations that need a structured, self-hosted risk register and can invest time in setup. Also worth a look: CISO Assistant and SimpleRisk as lighter alternatives.
The spreadsheet reality
No shortlist is honest without admitting that most small and mid-size teams run their risk register in a spreadsheet. NIST SP 800-30 Appendix H provides a risk register template, and the CIS RAM package includes worksheets. A well-maintained spreadsheet aligned to a recognized methodology is more defensible than a poorly configured GRC platform. Start there if you lack the resources to stand up tooling, and migrate when the friction of the spreadsheet exceeds the friction of a tool.
Scanners that feed the assessment
Risk assessments do not generate their own vulnerability data. They consume it from scanning tools and then apply methodology, scoring signals, and business context on top.
For a detailed comparison of scanning and VM platforms, see our roundup of vulnerability management tools. For the prioritization philosophy behind all of it, see risk-based vulnerability management. In the assessment workflow, scanners feed the asset and vulnerability inventory, CVSS and EPSS score each finding, KEV flags confirmed threats, and your chosen framework structures the risk statement and treatment decision.
What scanners cannot tell you on their own is whether a finding is actually reachable and exploitable in your environment. A critical CVSS score on an internal service behind three network controls is a very different risk than the same CVE on an exposed API endpoint. That gap between a scanner finding and a confirmed exploitable path is where validation matters.
BestDefense's Vortex is built for exactly that step. It takes the candidates your assessment surfaces and tests them, confirming which are genuinely reachable before you spend a remediation cycle on them. Picture it as the stage that sits after your scoring feeds and before your worklist: EPSS tells you what is statistically likely, KEV tells you what is confirmed in the wild, and Vortex tells you what is exploitable in your environment in particular.
Summary table
| Category | Tool / resource | Cost | Best for |
|---|---|---|---|
| Federal methodology | NIST SP 800-30 / RMF | Free | FedRAMP, FISMA, CMMC environments |
| Financial quantification | FAIR / Open FAIR | Free (standard) | Board-level dollar-denominated risk |
| Controls-aligned method | CIS RAM | Free | Mid-market CIS Controls users |
| Asset-centric method | OCTAVE / Allegro | Free | Operationally driven, SMB-friendly |
| ISMS-aligned standard | ISO 27005:2022 | Paid (standard) | ISO 27001 certification track |
| Severity scoring | CVSS v4.0 | Free | Baseline severity rating |
| Exploitability probability | EPSS | Free | 30-day exploitation likelihood |
| Confirmed active threats | CISA KEV catalog | Free | Confirmed in-the-wild exploitation |
| Open-source GRC | Eramba Community | Free | Self-hosted risk register |
| Scanner data | See VM tools post | Varies | Asset and vulnerability inventory |
Choosing your starting point
If you are running a first assessment with no existing framework commitment, start with NIST SP 800-30 for structure, EPSS and KEV for prioritization signals, and a spreadsheet template for the register. That combination is free, auditor-recognized, and enough to produce a defensible output.
As programs mature, FAIR adds financial fluency for executive audiences, CIS RAM tightens the link to control implementation, and a tool like eramba reduces the spreadsheet maintenance burden. The move to a commercial platform makes sense when you need workflow automation, evidence collection at scale, or integration with ticketing and SIEM. That decision is covered in Choosing Risk Assessment Software: A 2026 Buyer's Guide.
The core point stands: the practitioner's toolkit for a credible risk assessment is mostly free. The expensive part is the time to do it well, and having the validation layer to confirm which risks are real.
Want to see the validate step run against your own findings? Get a Demo and watch Vortex separate the confirmed attack paths from the noise.
